
Tuesday, April 24, 2012

Hacker News | Pwning a Spammer's Keylogger

Posted by wildrank on Tuesday, April 24, 2012
Hello guys. On wildhacker I have written many tutorials about how to hack email account passwords using keyloggers and many other methods like phishing etc. I have also written articles on website hacking.

But today in this article, I am going to share with you something different from the previous articles, which I found while surfing the web.


Hacker News | Pwning a Spammer's Keylogger

Recently, while scrounging around our spam traps, I spotted this ordinary piece of malicious spam. It uses a very simple social engineering trick: speculating about Obama’s sexual orientation and offering a link to a supposed picture to prove it.


There was nothing special about this spam, but the link to a file with a double extension, named “you.jpg.exe”, was something worth investigating. So out of curiosity, I downloaded the file and checked out what it does. The first thing I did was to find out what the file really was. Of course, it was not an image file of Obama but rather a self-extracting RAR file.


Opening the file through a RAR extracting tool revealed the files inside it.


I extracted “you.jpg.exe” and inspected each of the files inside it but found they were actually encoded. So I ran “you.jpg.exe” on our test machine and observed it. When run, the image below popped up. Hmmm, definitely not Obama.


In the background, the following files were installed in the Windows System32 folder:
  • bpk.dat
  • bpk.exe
  • bpkhk.dll
  • bpkr.exe
  • inst.dat
  • pk.bin

Also an autorun registry entry was created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bpk = <%windir%\System32\bpk.exe>

Googling for the dropped files gave me a hint that what was installed was a keylogger and in particular a commercial version from Blazing Tools called Perfect Keylogger (PK). This keylogger program can be legitimately purchased and used, ostensibly for monitoring your kids’ or employees’ browsing habits, etc. As you can imagine, PK can also be used for badness. I almost ended the analysis here. But a moment later, more interesting stuff appeared. The keylogger connected to a remote FTP server, and this allowed me to intercept the attacker’s FTP credentials.


Using the intercepted credentials, I logged in to the FTP server and found many folders containing monitoring logs and screenshots of victims’ desktops. The number of logs shows just how effective the spammer’s social engineering trick was.


Here is the WHOIS info of the FTP server:


Not wanting to stop here, I did a little more investigation on the PK installation files in the hope of uncovering who was behind the campaign. According to PK’s Online Help webpage, the program uses a hotkey to unhide the admin window or the system tray icon. The default hotkey combination is CTRL+ALT+L, but this didn’t work. So brute forcing different hotkey combinations enabled me to retrieve the correct hotkey. But to my dismay, this window popped up:


Before getting dirty by reverse engineering the keylogger and trying to crack the password, I scrounged around the net for more clues. I found a personal blog by Chris. In his blog, he noted that the password and other configurations were stored in an encoded file named PK.BIN, and the monitored data is stored in an encoded file named BPK.DAT. He also noted that the files can be decoded with a simple XOR using the key 0xAA. I suppose that the PK version that Chris analysed was an older version, hence the XOR key 0xAA didn’t decode our configuration file. Well, for the dump file BPK.DAT, the XOR key partially worked, but to make it more readable I XORed it using the two bytes 0xAA, 0x00:


But I was more interested in the file PK.BIN, because it stores the configuration details of the keylogger, including perhaps the details of the attacker. The file needed some extra work, though, because it can’t be decoded by simply XORing it with 0xAA. So my best guess was that it used a different XOR key. This is what the file looks like in text mode; hhmmm, look at that repetitive pattern!


In HEX mode, I took that repetitive string and made it our XOR key:


A small Python script helped me decode the file:

import sys

if len(sys.argv) > 1:
    # Read the encoded PK.BIN (bytearray so indexing yields ints in Python 2 and 3)
    pkhandle = open(sys.argv[1], 'rb')
    pkbuffer = bytearray(pkhandle.read())
    pkhandle.close()

    # Repeating XOR key taken from the repetitive pattern seen in the hex dump
    key = [0x0D, 0x0A, 0x08, 0x05, 0x01, 0x02, 0x06, 0x03, 0x03, 0x0E, 0x01, 0x08, 0x03, 0x0C,
           0x09, 0x07, 0x05, 0x0D, 0x0C, 0x0B, 0x03]
    dec = bytearray()
    ctr = 0
    # Skip the first 11 bytes (file header) and XOR the rest with the cycling key
    for i in range(11, len(pkbuffer)):
        a = pkbuffer[i]
        b = key[ctr % len(key)]
        x = a ^ b
        dec.append(x)
        ctr += 1

    # Write the decoded configuration to pk.dec
    dechandle = open('pk.dec', 'wb')
    dechandle.write(bytes(dec))
    dechandle.close()
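The author spotted the repeating key by eye in the hex dump. As an added example (not from the original post or from SpiderLabs), the script below automates that step for any repeating-XOR-encoded file whose plaintext contains runs of zero bytes, as zero-padded configuration records do: it guesses the key length from how often the ciphertext repeats itself, takes the most frequent byte at each key position as the key byte, and then decodes. The file layout, sample field values and helper names are constructed for illustration; the 21-byte key is the one from the post's script, and the 11-byte header skip follows that script too.

```python
# Added example: recover a repeating XOR key from an encoded config file whose
# plaintext is mostly 0x00 padding, then decode it. Sample data is constructed.
from collections import Counter

KEY = bytes([0x0D, 0x0A, 0x08, 0x05, 0x01, 0x02, 0x06, 0x03, 0x03, 0x0E, 0x01,
             0x08, 0x03, 0x0C, 0x09, 0x07, 0x05, 0x0D, 0x0C, 0x0B, 0x03])
HEADER_LEN = 11  # the post's script skips the first 11 bytes of PK.BIN


def xor_repeating(data, key):
    """XOR data with a key that cycles from index 0."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_pkbin():
    """Constructed stand-in for PK.BIN: an 11-byte header (assumed zero here)
    followed by fixed-width, zero-padded fields, all XORed with KEY."""
    fields = [b"ftp.example.invalid", b"ftpuser", b"s3cret", b"license holder"]
    body = b"".join(f.ljust(64, b"\x00") for f in fields)
    return b"\x00" * HEADER_LEN + xor_repeating(body, KEY)


def find_period(enc, max_period=64):
    """Guess the key length: the shift at which the ciphertext most often
    equals itself. Zero plaintext bytes leak the key verbatim, so the
    ciphertext repeats with the key's period."""
    best, best_score = 1, -1
    for p in range(1, max_period + 1):
        score = sum(1 for i in range(len(enc) - p) if enc[i] == enc[i + p])
        if score > best_score:
            best, best_score = p, score
    return best


def recover_key(enc, period):
    """Per key position, the most frequent ciphertext byte: wherever the
    plaintext is 0x00 the ciphertext byte is the key byte itself."""
    return bytes(Counter(enc[i::period]).most_common(1)[0][0]
                 for i in range(period))


def decode_pkbin(data):
    """Strip the header, recover the key, and return (key, decoded_body)."""
    enc = data[HEADER_LEN:]
    key = recover_key(enc, find_period(enc))
    return key, xor_repeating(enc, key)


if __name__ == "__main__":
    key, plain = decode_pkbin(build_sample_pkbin())
    print("key:", key.hex(), "first field:", plain.split(b"\x00")[0])
```

The same approach works on real samples only while zero padding dominates the plaintext; a config with little padding needs the manual hex-dump inspection the post describes.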

And voila! (note: I needed to blur some details to protect the victim’s data in the FTP server)


The decoded PK.BIN shows enough details to get inside the PK admin panel, including the keylogger's admin password, FTP server/credentials, PK license name and license key. I typed in the admin password and it was successful, giving me more understanding about what the attacker is capturing and more of his keylogger configuration.


In the configuration file, it revealed the name Charles Onuigbo as the PK license name.

Now, I don’t conclude that Charles Onuigbo is the attacker or indeed if he is a legitimate person. The only thing interesting about the name is that it appears to be fairly common in Nigeria, the home of email scams!

I have reported the FTP site to its ISP through abuse email, and am looking forward to this site being taken down ASAP.

Credit: blog.spiderlabs.com

